Multi-Factor Authentication (MFA)

Short link for this page: utwente.nl/mfa.

To keep your data safe, Multi-factor authentication (MFA) is necessary for UT systems.

Passwords can be easily compromised. MFA immediately increases your account security by requiring multiple forms of verification to prove your identity when signing into an application.

MFA reset tool

Employees and students can now reset MFA through https://mfa-reset.utwente.nl/ and don't need to contact the Servicedesk ICT*

*registration of a correct email address in MyHR (employees) or Studielink (students) is required.

The requirements for processing sensitive personal data have been increased with the General Data Protection Regulation (GDPR). Sensitive personal data are, of course, sensitive by nature and enjoy extra protection under the GDPR. Using only a username and password to log in no longer suffices. The UT uses several applications that process sensitive personal data. On the basis of the GDPR, the UT must provide additional security for these applications via authentication in multiple steps: MFA. 

Number matching

With number matching, the Authenticator app asks to enter a two-digit number, which is displayed when someone wants to log in. After the number has been entered into the app, the login process continues.

Manuals

  • These manuals are written for employees, students and x-accounts.
  • You need a smartphone with Android or iOS.
  • You need a UT e-mail address (x-account => x1234567@utwente.nl) and password.
  • These manuals use a consistent style of writing: references to text and buttons on screens are printed in italics, information that you have to enter yourself is printed in bold.
  • Multi-Factor Authentication - App Manual students & employees

    When switching to a new phone, make sure to add it here (select Add method) before deleting the Microsoft Authenticator app on your old phone. 

    Set up Multi-Factor Authentication

    Open an application for which Multi Factor Authentication is enabled (or click here). Log in with your UT e-mail address (x-account => x1234567@utwente.nl) and password. Next you will see the following message:

    Click Next and download and install the Microsoft Authenticator app on your phone (Android / iOS).

    Open the Microsoft Authenticator app on your phone and click Next on the pc. 

    Allow the app to access the camera and add an account. Select Work or School and click Next on the pc.

    Scan the QR code displayed on the pc with your phone and click Next.

    A test notification is sent. Please unlock your phone with fingerprint, face, or PIN and approve. If successful, you will see the following message:

    Click Next, the Microsoft Authenticator app is configured. Click Done in the next screen to continue signing in.

    We advise you to set up a second verification method. You can add an extra method here.

    FAQ

  • Multi-Factor Authentication - App Manual UT guest

    When switching to a new phone, make sure to add it here (select Add method) before deleting the Microsoft Authenticator app on your old phone. 

    Set up Multi-Factor Authentication

    Open an application for which Multi Factor Authentication is enabled. Log in with your e-mail address and password. Next you will see the following message:


    Click Next and download and install the Microsoft Authenticator app on your phone (Android / iOS).

    Open the Microsoft Authenticator app on your phone and click Next on the pc. 

    When prompted, allow notifications. Then add an account and select "other account (Google, Facebook, etc.)".

    Scan the QR code displayed on the pc with your phone and click Next.

    Click Next.

    A test notification is sent. Please unlock your phone with fingerprint, face, or PIN and approve. If successful, you will see the following message:

    Click Next, the Microsoft Authenticator app is configured. Click Done in the next screen to continue signing in.

    We advise you to set up a second verification method. You can add an extra method here.

    For more information see: Add non-Microsoft accounts to the Microsoft Authenticator app

  • Multi-Factor Authentication - Yubico FIDO2 security key

    There are 2 ways to set up a FIDO2 security key as a sign-in method:

    • As an additional method
    • As the single method

    Note: Adding a Yubico FIDO2 security key on macOS or Linux only works with the Google Chrome browser.

    Add Yubico FIDO2 security key as an additional method

    • Place the FIDO2 key correctly in the USB port with the sensor facing up.
    • Go to https://mysignins.microsoft.com and select Add method. Select Security key and choose Add. Approval may be requested.
    • Select USB device and click Next to set the security key. Select Next/OK in the following screens until a PIN needs to be set or entered.
    • Create a new PIN code (and remember it!) or enter an already set PIN code. Put your finger on the security key (2x when a new PIN code has been created) and then enter a name.
    • Click Done to finish adding the security key.
    • Reset security key in Windows
      1. Download and install YubiKey Manager.
      2. Insert your YubiKey into an available USB port on your computer.
      3. Open the YubiKey manager (administrator rights are required).
      4. Navigate to Applications > FIDO2.
      5. Click Reset FIDO, then YES.
      6. Follow the prompts from YubiKey Manager to remove, re-insert, and touch your key.

    Add Yubico FIDO2 security key as the single method

    Note: do not use an InPrivate/incognito browser window.

    • Click + Add sign-in method, and select Security key from the dropdown menu.
    • Click Add and select USB device. Plug in the FIDO2 security key and select Next. Your device will redirect you to a new window to continue the security key setup.
    • In the pop up window, select Windows Hello or External Security Key. Click OK in the next window (this window may appear twice).
    • Select Security key and OK twice.

     

    • Now you have to create a PIN code for the FIDO2 security key and confirm it by touching the security key.

    • After setting up your security key you will return to the Mysignins website. Please enter a name for the security key and click Next. Click Done to complete the setup.
    • To log in to UT apps: plug in the security key, enter your email address and password, enter the PIN of the security key and touch it with your fingertip.
  • Two-Factor verification in Google Apps for students

    2-Step Verification (also commonly known as two factor authentication) is an authentication technique in which you require two separate steps to authenticate yourself (i.e. your credentials and a code you receive via your phone). This increases the security level of your account.

    Why do you want to activate 2-Step Verification? For certain Google services, like an application specific password (which is necessary to import your student mail into an e-mail client), 2-Step Verification should be activated for your Google account.

    Step 1: Select account

    • Browse to https://googleapps.utwente.nl/ and log in with your student credentials.
    • In the upper right corner, click on the Google Account button (the rightmost circular button).
    • Click on My Account to access your student mail account.

    Step 2: My account

    • Click on Sign-in & security.

    Step 3: Sign-in and security

    • Scroll a bit down and click on the arrow on the right of 2-Step Verification.

    Step 4: 2-step verification

    • Click on GET STARTED.

    Step 5: Phone number

    • Enter your phone number in the form field. Make sure only you have access to this phone number. Use e.g. your mobile phone number for 2-Step Verification.
    • Select how you want to receive the security codes: Text message (SMS) or Phone call
    • Click NEXT

    Step 6: receive security code

    Google will now send you a security code to verify the phone number you entered in STEP 5.

    • Enter this code in the form field. NOTE: Security codes are private and should never be shared with anyone, not even UT-staff or Google personnel.
    • Click NEXT

    Step 7: Turn on 2-step verification

    • Click TURN ON to turn on 2-Step Verification.

     Now 2-Step Verification is activated and you are able to generate application specific passwords.

FAQ

  • Can I reset MFA myself?

    Employees and students can now reset MFA through https://mfa-reset.utwente.nl/ and don't need to contact the Servicedesk ICT (except when no private email address is registered).

  • Why is Multi-Factor Authentication necessary?

    In the General Data Protection Regulation (GDPR), the criteria set for processing special personal data have been tightened. Special personal data is highly sensitive and therefore receives additional protection under the GDPR. Logging in with a username and password is no longer sufficient.
    The UT utilises multiple applications within which personal data is processed. The GDPR stipulates that these applications are additionally secured by means of authentication in two steps: MFA.

  • Why is logging in with only my account and password insufficiently secure?

    Programmes may contain data to which others are not permitted access. This may include research data, examination results, or bank account numbers. Passwords can be found out with relative ease, for example when you:

    • use the same password for multiple websites;
    • download malicious software from the internet;
    • accidentally activate incorrect links in a phishing email;
    • provide your password to others.

    Thanks to additional authentication, the university can exclude information from unwanted individuals, even when they possess your password. For this reason, your additional authentication is for personal use only.

  • What is the risk of others knowing my password?

    An individual in possession of your password can block access to your account and:

    • view or even delete your emails, contacts, and educational or research data;
    • masquerade as you and send unsolicited or malicious emails to your contacts;
    • use your account to reset the passwords for your other accounts;
    • gain access to all information accessible to you, such as student data.
  • Which applications require MFA?

    MFA is required for:

    • All Office 365 applications, e.g. Teams and OneDrive (except Outlook).
    • Self-service Portal
    • Planon
    • MyHR (AFAS)
    • All applications connected to SURFconext
    • SAML Applications
    • My TimeTable
    • WiKi
    • Employee portal
    • Canvas

    These and other applications will also be added in 2021.

  • No MFA in exam rooms Therm and Noordhorst?

    At the UT, access to UT applications is secured with MFA, for which you need a mobile phone for validation. An exception is made for the digital tests taken on Chromebooks in the Therm and Noordhorst exam rooms, because students are not allowed to use their mobile phones during exams.

  • How do I change my MFA settings?

    You can change the MFA settings here.

  • Need to regularly approve MFA messages in a browser?

    We have the following tip:

    • Use Microsoft Edge as your browser, click on the profile icon at the right side of the address bar and click "Sign In". Then sign in with your work or school account.

Mobile telephone

  • I have a new smartphone | My current smartphone is stolen or reset | I have collected a spare smartphone. What should I do? 

    If you have a new smartphone due to replacement, loss or theft, you must reconfigure the MFA app. There are two possibilities:

    • When switching to a new phone, make sure to add it here (select Add method) before disposing of the old phone.
    • If you no longer have access to the (old) device, you can reset MFA through https://mfa-reset.utwente.nl/.
  • Is it necessary to provide the UT with my mobile telephone number?

    The UT does not require your mobile telephone number, and this will not be requested and/or registered.

  • I don't want to use my private telephone for work. How can I log in with MFA? (employees)

    If the UT has not provided you with a mobile telephone and you don't wish to use a private smartphone for the MFA, you can obtain a low-budget mobile telephone via the LISA self-service portal. The charges will be covered by the faculty/service department. You will require an OFI number from your organisation for ordering a low-budget telephone.

  • I don't have an internet connection on my mobile telephone, will the app still work?

    An internet connection (WiFi/3G/4G) is only required for app installation/activation and number matching. Once it's set up, you can also use the time-based, one-time passcode in the app.

  • Why does the MFA app request access to the camera? 

    The app requires camera access to scan a code during installation and use of additional authentication. The app only activates the camera for these purposes.

  • Why am I unable to scan the QR code? 

    Tips for successful QR code scanning: 

    • Zoom level of PC browser set to minimum 100%
    • While scanning, do not hold the device too close to the screen! Make sure that the QR code fills approx. 25% of the screen. Hold the device still!
    • Hold your smartphone very still while scanning. Your smartphone may need a few moments for scanning, as the camera must first zoom in on the QR code.
    • Ensure that only the QR code is in the frame when scanning.
    • Keep any objects, such as your finger, from obstructing the camera during scanning.
    • Increase the brightness of your computer screen. This increases the contrast of the QR code, making it easier for your camera to scan.
  • My smartphone is at home and I cannot log in to additionally secured systems now. What should I do?
    • Collect your smartphone, if possible.
    • In case the organisation has a spare smartphone it can be used temporarily. Go to https://mfa-reset.utwente.nl/ to reset MFA and set it up again.
  • Which Android or iOS version do I need for the Microsoft Authenticator app?

    For Android, click here.

    For iOS, click here.

  • When do I have to validate again with MFA?

    You must re-validate MFA:

    • after you have changed workstation/browser
    • after you have changed your password
    • if you have not used your workstation/browser for a period of 90 days

    * To reduce the number of approvals in a browser you can use the Edge browser and log in with your UT account.

  • Can I disable the use of fingerprint, face, or PIN with every prompt for authentication?

    Yes, you can disable it in the settings in the Microsoft Authenticator app.

  • How do I add or remove a sign-in method?

    Go to https://mysignins.microsoft.com/security-info to add or remove a sign-in method.

Authentication, verification, etc.

  • How does offline use of additional authentication work?

    During offline use, the Microsoft Authenticator app automatically creates an offline code which can be entered on your screen. This allows you to use the additional authentication offline at all times.

  • Can I authorise someone else to log in on my behalf?

    No, this is not possible. MFA is for personal use only and cannot be transferred.

  • Need to approve MFA regularly?

    If you regularly have to approve MFA messages in a browser, we have the following tip:

    Use Microsoft Edge as your browser, click on the profile icon at the right side of the address bar and click "Sign In". Then sign in with your work or school account.

  • What is number matching?

    Microsoft has found that criminals use so-called MFA fatigue attacks. When criminals have a user's credentials, they usually can't access the account because of MFA. In an MFA fatigue attack, the criminal will try to log in frequently in a very short period.

    The criminal expects the user to get weary from the number of requests from the Authenticator app. The user might think it is a request generated by their Outlook app or Teams. At some point, the user will confirm the request and unwittingly give the criminal access to their account.

    The Microsoft Authenticator (shown on the right) will display information about the application and ask you to enter a two-digit number. The Single Sign-On page will give you a number when logging in (as shown in the picture below on the left). After you copy the number, the login process will continue.
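The MFA fatigue pattern described above (many prompts in a very short period, then one approval) is visible in sign-in logs. The following is an added example of a detection rule, not part of the original page or any Microsoft tooling; the event fields, user names, threshold and time window are assumptions, and the log records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: (ISO timestamp, user, outcome of the push prompt)
EVENTS = [
    ("2024-03-01T02:10:05", "x1234567", "denied"),
    ("2024-03-01T02:10:40", "x1234567", "timeout"),
    ("2024-03-01T02:11:15", "x1234567", "denied"),
    ("2024-03-01T02:12:02", "x1234567", "timeout"),
    ("2024-03-01T02:12:50", "x1234567", "denied"),
    ("2024-03-01T02:13:20", "x1234567", "approved"),
    ("2024-03-01T09:00:10", "m7654321", "timeout"),
    ("2024-03-01T09:00:45", "m7654321", "approved"),
]


def detect_push_fatigue(events, threshold=5, window=timedelta(minutes=10)):
    """Flag bursts of unapproved prompts, and approvals that follow a burst."""
    recent = defaultdict(deque)  # user -> times of recent unapproved prompts
    alerts = []
    for ts, user, outcome in sorted(events):
        now = datetime.fromisoformat(ts)
        prompts = recent[user]
        # Drop prompts that have aged out of the sliding window.
        while prompts and now - prompts[0] > window:
            prompts.popleft()
        if outcome in ("denied", "timeout"):
            prompts.append(now)
            if len(prompts) == threshold:  # alert once per burst
                alerts.append((user, ts, "burst"))
        elif outcome == "approved":
            # An approval right after a burst is the case to investigate first:
            # the user may have given in to the stream of requests.
            if len(prompts) >= threshold:
                alerts.append((user, ts, "approved_after_burst"))
            prompts.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(EVENTS):
        print(alert)
```

A single missed prompt followed by an approval, as for the second user, stays below the threshold and raises nothing.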

CONTACT

All UT students and employees with questions, problems, requests for information or reports regarding ICT are welcome at the Service Desk ICT on the ground floor of the Citadel building (entrance at O&O square).

Servicedesk ICT (campus location)

Opening hours: 08.30 - 17.00 hrs.

Post address: University of Twente, T.a.v. Servicedesk ICT, Postbus 217, 7500 AE Enschede
